Site home page
Get alerts when Linktionary is updated
Book updates and addendums
Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)
Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!
Contribute to this site
Electronic licensing info
RADIUS (Remote Authentication Dial-In User Service)
Related Entries Web Links New/Updated Information
Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
RADIUS is a security service for authenticating and authorizing dial-up users. A typical enterprise network may have an access server attached to a modem pool, along with a RADIUS server to provide authentication services. Remote users dial into the access server, and the access server sends authentication requests to the RADIUS server. The RADIUS server authenticates users and authorizes access to internal network resources. Remote users are clients to the access server and the access server is a client to the RADIUS server.
RADIUS was originally developed by Livingston Enterprises for their PortMaster series of network access servers. Lucent Technologies bought Livingston in October 1997, and now claims the software was "invented by the Remote Access Business Unit of Lucent Technologies in 1992." The remainder of this topic draws on RADIUS descriptions provided by Lucent.
Note that RADIUS is an open protocol and is distributed as source code. It is defined in the following Internet RFCs. See "NAS (Network Access Server)" for related RFCs.
Because RADIUS is open, it can be adapted to work with third-party security products or proprietary security systems. Any access server that supports the RADIUS client protocol can communicate with a RADIUS server.
RADIUS is often referred to as RADIUS AAA, referring to its authentication, authorization, and accounting functions. "Accounting" refers to the ability of RADIUS to gather information about user sessions that can be processed for billing and network analysis. The basic RADIUS authentication system uses its own user database, but other sources of user information include UNIX password files, Sun's NIS (Network Information Service), and directories that can be accessed via LDAP (Lightweight Directory Access Protocol).
The most important feature of RADIUS is its distributed security model. Basically, the communication server (access server or NAS) is separate from the authentication server. This approach is more scalable and secure. The user account information is stored on a central RADIUS server that can be accessed by any number of access servers. This distributed approach is essential for large ISPs that handle hundreds or thousands of dial-up accounts from multiple access servers. An example is pictured in Figure R-1.
[ANCHOR HERE: Figure 1]
Note how the access server is separated from the RADIUS server in a distributed configuration. Access servers typically support dial-up asynchronous or ISDN connections. The access servers talk to the RADIUS servers via the RADIUS protocol, which is outlined in the previously mentioned RFCs.
The RADIUS authentication mechanism works as follows:
If a user is validated and an acknowledgment is sent, additional information about the user may be sent as well, such as link requirements and/or policy information that defines service levels for the user. Filters may also be included to restrict access to parts of the network.
Lucent's PortAuthority family of RADIUS servers extends RADIUS with extensible, plug-in modules that enable specific policies. PortAuthority implements policies with what is called the PolicyFlow architecture. The plug-ins can be chained together in a building-block approach. PolicyFlow then defines and manages policy administration across the modules. The modules are Java class files. For example, an ISP implementing PortAuthority can easily switch over from a UNIX password file to a system that stores user data in an LDAP-accessible directory without having to make an immediate migration.
The IETF is evolving RADIUS with its new DIAMETER protocol, which expands on RADIUS with new features, such as the ability to ask for additional logon information beyond the basic authentication, support for roaming users, and the ability to exchange user accounting information among different ISPs. See "DIAMETER" and "Roaming." Also see "Accounting on the Internet." Several topics describe environments in which RADIUS is used. See "Internet Architecture and Backbone" and refer to the section "PoPs and Internet Data Center." Also see "PoP (Point of Presence)" and "L2TP (Layer 2 Tunneling Protocol)."
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.